On Friday, businesses, governments and the UK’s National Health Service were left scrambling in the wake of a massive ransomware attack. The ‘WannaCry’ ransomware swiftly spread across 200,000 computers in 150 countries, causing Microsoft to issue an emergency patch for those still running outdated Windows XP systems. It turns out that this ransomware made use of a flaw that the NSA had been holding in its back pocket for years, prompting Microsoft to speak out against government agencies ‘hoarding’ security vulnerabilities for their own uses, while also pointing out that customers need to stay on top of updates to remain secure.
In a blog post addressing the ‘WannaCry’ ransomware attack, Microsoft explained that the exploit originated from a list of attacks ‘hoarded’ by the US National Security Agency. These exploits were made public earlier this year and Microsoft quickly responded by patching the versions of Windows it still supports. However, not everyone has automatic updates enabled and, worse yet, some customers are still running Windows XP, meaning a lot of systems were still left vulnerable.
While the post itself is quite lengthy, one of the key highlights is Microsoft’s call for customers to update their systems more regularly:
“This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.”
From there, the post turns its attention to the governments of the world, who should treat this attack ‘as a wake-up call’:
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
KitGuru Says: With cyber attacks becoming more prevalent, it is increasingly important to stay on top of software updates. This particular vulnerability was patched in modern versions of Windows around two months ago. If system updates were implemented more regularly across agencies and businesses, then this attack wouldn’t have got as far as it did. At the same time, Microsoft’s current reputation with buggy updates isn’t exactly helping the situation.